Hacking Twitter’s New “Hexagon” NFT Profile Picture Feature

How Twitter’s new NFT PFP feature makes it easy to fake “ownership” of the most popular NFTs — and what they should do to fix it.

deepbluesteeve
5 min read · Jan 22, 2022

TL;DR: I recently exploited Twitter’s new NFT Profile Picture feature. You can read all about how I spoofed my Bored Ape Yacht Club profile picture in this thread:

There’s this kind of magical synergy around NFTs that exists between Twitter, Discord, and OpenSea. You buy and sell your NFTs on OpenSea and you get inside info in the project’s Discord. Twitter is where you flex — by making your NFT your profile picture.

NFT Profile Pictures — The Ultimate Flex?

An NFT profile picture is a signal that you’re a part of the communities associated with it: if you own a Bored Ape, you’re a part of the BAYC community (as well as the broader web3 movement). It’s a flex when it proves you own a digital asset worth six figures (or more).

But many growth hackers have taken advantage of this association. This “right-click, save-as” behavior has been used to increase engagement and followers. There’s simply no way to know if a person’s profile picture is actually an NFT they own — and this is the problem Twitter’s new NFT PFP is designed to solve. The new hexagon shape was designed to give credibility to NFT profile pictures. The difference is easy to spot in all of the places your tiny profile pic shows up — they’ve done a great job visually differentiating the two:

Can you tell which person owns a real ape?

A few people have joked about this and cropped their profile pictures into hexagons to “fake” the authentic shape. But it was easy to tell the fakes from the real hexagons. And only tapping on a real one gives you information about the NFT. Because the only way to get a true hexagon shape is by verifying you own the NFT that goes in it, the thinking goes, we’ll weed out the imposters. So long, scammers — we’ll know by the shape of your ape that you’re not its legitimate owner.

How I Hacked It

Having a hexagon PFP doesn’t mean what you think it means: it’s easy to fake.

I have an old contract on the Ethereum mainnet that I don’t use, and all I needed to do is change the tokenURI — the place that associates my tokens with the images and other metadata that make them an NFT — to match the tokenURI of another collection: in this case, I made my tokens look like Bored Apes.

Twitter’s new feature has put its trust completely in OpenSea for verification — and this was the SINGLE checkpoint that prevented me from making my PFP identical to a “real” ape. Can you spot the differences below?

Twitter is overly reliant on some really small visual signals to show which of these two is from the actual, verified collection. There are two small places where the verification is noted, but it’s in grey text and not very prominent.

Twitter’s solution works almost TOO well: after months of grinding in an effort to grow an NFT-focused audience, growing one suddenly became very easy. The shape of my new profile picture makes people believe it’s a credible, verified NFT — and very few people go through the extra steps needed to dig deeper. Limiting the feature to “Twitter Blue” subscribers seemingly lends additional credibility. “At least it’s behind a pay wall,” one person responded in a tweet.

Given that the hexagon is just as easy to fake as a regular NFT-based profile picture, the feature doesn’t work as intended. Sure, people could click to investigate and verify — but judging by the results of my small experiment, no one does. I’m not shocked that the vast majority of people don’t dig in and pay close attention to the small details. It’s the exact playbook of every email/website phishing scam out there.

Recommendations

I hacked the feature out of love — this was meant as constructive criticism and I applaud Twitter for taking the leap and even launching this feature. So it’s only fair that I make some actionable recommendations for Twitter and the broader community.

Without some of these changes, the feature will likely be less valuable to people as scammers make fake collections: it won’t be the “flhex” people think it is now. People will also get scammed: they’ll think they’re talking to the owner of a genuine, verified item. They’ll get tricked into following growth hackers.

  1. Link collections to the verified Twitter profiles/brands they’re associated with. The verified BAYC Twitter handle should be linked to the official contract address, and this should be a visible signal in the detail view.
  2. Increase the visibility of verification signals in the detail view. One of the most valuable aspects of this feature is proof of authentic ownership. Why is the ONLY provable metadata minimized? This is a visual design problem Twitter Design can solve.
  3. Stop relying entirely on OpenSea for this metadata. If OpenSea goes down, so does the feature. This also makes OpenSea an official arbiter of whose collections are credible on Twitter — do we really want to designate them as the central authority on authenticity? They still haven’t verified Anonymice, for example. WTF not?
  4. OpenSea should prohibit the use of identical collection photos and word-for-word, copy-paste descriptions for collections. It was way too easy to make 90% of the collection mirror the real listings for BAYC.
  5. Decentralize the Verification of Collections. As more platforms begin to support web3 features — for example, verified ownership of a profile picture from an elite collection — they’ll need to be able to tell the difference between legitimate collections and fake ones. Today, this is still left up to centralized entities like OpenSea. Social media platforms will either rely on third parties like OpenSea for verification, or they’ll verify them on their own. A better solution is a decentralized way to legitimize collections — one that acts as the single source of truth (kind of like a master list) that every platform can check against. This would also help lesser-known (but very legitimate) collections get verified, too.
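To make the core point concrete, here is an added example (my own illustration, not Twitter’s, OpenSea’s or the author’s code) of why a checker must key on the contract address rather than on the metadata that a tokenURI resolves to, and how recommendation 1 above would look in code. The registry, contract addresses and Twitter handle are constructed placeholders, not the real BAYC values.

```python
"""Verify an NFT profile picture by contract address, not by metadata."""
from dataclasses import dataclass, field

# Constructed registry of official collections, keyed by contract address.
# The address and handle are PLACEHOLDERS, not the real BAYC values.
# Value: (collection name, verified Twitter handle linked to that contract)
VERIFIED_COLLECTIONS = {
    "0x1111111111111111111111111111111111111111": ("Bored Ape Yacht Club", "@BAYC_HANDLE_PLACEHOLDER"),
}


@dataclass(frozen=True)
class NftClaim:
    """What a platform learns about a would-be hexagon PFP."""
    contract: str                      # on-chain address the token was minted from
    token_id: int
    metadata: dict = field(default_factory=dict)  # whatever tokenURI resolved to


def naive_verify(claim: NftClaim) -> bool:
    """WEAK: decides authenticity from the metadata the contract owner controls.

    Anyone who can change a contract's tokenURI can make this return True.
    """
    names = {name for name, _ in VERIFIED_COLLECTIONS.values()}
    return claim.metadata.get("collection") in names


def verify_pfp(claim: NftClaim) -> dict:
    """HARDENED: authenticity comes only from the contract address.

    Ethereum addresses are case-insensitive hex, so compare them lowercased.
    Metadata is used only to flag a lookalike, never to grant verification.
    """
    entry = VERIFIED_COLLECTIONS.get(claim.contract.strip().lower())
    claimed = claim.metadata.get("collection")
    if entry is None:
        # Metadata names a verified collection the contract does not belong to:
        # exactly the copied-tokenURI case, worth surfacing prominently.
        lookalike = any(claimed == name for name, _ in VERIFIED_COLLECTIONS.values())
        return {"verified": False, "lookalike": lookalike, "handle": None}
    name, handle = entry
    return {"verified": True, "lookalike": False, "collection": name, "handle": handle}


# Constructed sample claims: identical metadata, different contracts.
BAYC_META = {"collection": "Bored Ape Yacht Club", "image": "ipfs://constructed-ape-image"}
REAL_APE = NftClaim("0x1111111111111111111111111111111111111111", 42, BAYC_META)
COPYCAT = NftClaim("0x2222222222222222222222222222222222222222", 42, dict(BAYC_META))
```

The two claims are indistinguishable by image and description, which is the situation the detail view currently leaves the viewer to untangle; only the contract-address check separates them.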

Time to flex — check out my new hexagon PFP:
